Global Privacy Control (GPC): What It Is and Why Your Website Must Support It
What Is Global Privacy Control?
Global Privacy Control (GPC) is a browser-level privacy signal that communicates a user's preference to opt out of the sale or sharing of their personal information. Think of it as a universal "Do Not Sell" switch that works across every website the user visits.
When enabled, the browser sends a Sec-GPC: 1 HTTP header with every request and exposes a navigator.globalPrivacyControl JavaScript property set to true. Websites that receive this signal are expected to honour it.
Is GPC Legally Binding?
Yes, under California law. The California Attorney General and the CPPA (California Privacy Protection Agency) have confirmed that GPC is a valid opt-out mechanism under CCPA/CPRA. If your business is subject to CCPA and you receive a GPC signal from a California user, you must treat it as a legally binding opt-out of data sales and sharing.
In Colorado, the Colorado Privacy Act also recognises universal opt-out mechanisms like GPC. Connecticut and other states with privacy laws are following suit.
In the EU, while GPC is not explicitly referenced in GDPR, the principle aligns with the GDPR's requirement to respect user preferences. Some EU regulators view it favourably as an additional consent signal.
Which Browsers Support GPC?
- Firefox — built-in support, disabled by default (user must enable in settings)
- Brave — enabled by default for all users
- DuckDuckGo browser — enabled by default
- Safari — not natively supported (but available via extensions)
- Chrome — available via extensions like Privacy Badger and DuckDuckGo Privacy Essentials
As awareness grows, GPC adoption is increasing steadily. An estimated 50 million+ users currently have GPC enabled.
What Happens If You Ignore GPC?
The CPPA has already taken enforcement actions against companies that ignore GPC signals. In 2024, Sephora paid a $1.2 million settlement partly because it failed to honour GPC opt-out signals on its website.
Ignoring GPC means:
- You're violating CCPA if GPC users are California residents
- Fines of $2,500 per non-intentional violation, $7,500 per intentional violation
- Each pageview by a GPC user that triggers data sharing could be a separate violation
How to Implement GPC Support
There are two things your website must do:
- Detect the GPC signal — check for navigator.globalPrivacyControl === true or the Sec-GPC header
- Act on it — if detected, treat the user as having opted out of data sales/sharing. Disable marketing cookies, ad pixels, and any data-sharing scripts.
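The two steps above as an added example (not code from the original page or from LegalBanner): a header check for the server, a navigator check for the browser, and a gate that keeps marketing and advertising scripts from loading when either one reports GPC. The function names, consent categories and sample tag list are assumptions made for illustration.

```javascript
// Added example. Function names, category names and SAMPLE_TAGS are assumptions.

// Server side: true only for Sec-GPC: 1. Header names are case-insensitive,
// and any other value ("0", "true", empty) is treated as no signal.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== 'sec-gpc') continue;
    const first = Array.isArray(value) ? value[0] : value;
    return String(first).trim() === '1';
  }
  return false;
}

// Client side: strict comparison, so a browser without GPC support
// (property undefined) or a string "true" does not count as a signal.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Either source is enough to opt the user out of sale/sharing categories.
// "pending" means "wait for the banner"; nothing pending is loaded.
function resolveConsent({ headers, nav } = {}) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(nav);
  const optOut = gpc ? 'denied' : 'pending';
  return { gpc, necessary: 'granted', analytics: 'pending',
           marketing: optOut, advertising: optOut };
}

// Only tags whose category is explicitly granted may be injected.
function scriptsToLoad(tags, consent) {
  return tags.filter((t) => consent[t.category] === 'granted').map((t) => t.src);
}

// Constructed sample data, not from any real site.
const SAMPLE_TAGS = [
  { src: '/js/app.js', category: 'necessary' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
  { src: 'https://crm.example/track.js', category: 'marketing' },
];

const demo = resolveConsent({ headers: { 'Sec-GPC': '1' } });
console.log(demo, scriptsToLoad(SAMPLE_TAGS, demo));
```

Running the header check on the server as well as the property check in the browser means the opt-out is applied before any server-rendered tag reaches the page.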
How LegalBanner Handles GPC
LegalBanner automatically detects GPC signals and adjusts consent accordingly:
- If GPC is detected, marketing and advertising categories are automatically set to "denied"
- The consent banner still appears (to handle analytics and functional cookies), but marketing scripts are pre-blocked
- The GPC detection is logged in the consent audit trail
- Users can still manually override if they choose (GPC is a default, not an irreversible lock)
No configuration needed. GPC support is built into every LegalBanner deployment.